How are you logging in? If you are doing so via the URL /productMaint5/admin/login.html, that doesn't work. The J2EE security mechanism does not support direct access to the login page. You should be requesting a protected URL, which will automatically trigger the login process.

I don't see a protection (security-constraint) for /productMaint, so any attempt by a user should be allowed, including attempts by users who have not logged in.

An IDE is no substitute for an Intelligent Developer.

matthew hayes

Greenhorn

Posts: 4

posted 1 year ago

Thanks for the responses. I'm not sure what you mean when you ask if I added my User ID to the login roles. I am using a MySQL server where I have one database for the product information and a separate database that contains the security roles, user names and passwords for the JDBCRealm. I don't have any problem accessing the databases. The project works with the authentication: with the proper user name and password, it goes through. If you enter an incorrect name or password, it goes to a login_error.html. The problem occurs when it goes through to the actual pages which use my servlet. Is there some way to post a screenshot of my NetBeans project so you can see how the structure looks?

The model that J2EE Container-Managed security uses for authentication and authorization equates to 2 database tables. One table maps a (hopefully unique) userid to a password. The other maps userid (as a foreign key) to zero or more security roles. So JKR is asking if you made sure that you actually had added a userid/password into the user table so that there was someone to log in as.
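As an added illustration of the two-table model just described (this is example configuration, not the poster's own files), here is how a Tomcat JDBCRealm is pointed at such tables. It assumes Tomcat 8 or later, a MySQL database named security_db, and the table and column names shown in the comment; none of those names come from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml inside the web application (Tomcat).
     Added example, not from the original thread.
     Assumed schema (placeholders, not the poster's real names):
       users(user_name PRIMARY KEY, user_pass)   maps userid -> password
       user_roles(user_name, role_name)          maps userid -> zero or more roles
     A user with no rows in user_roles can authenticate but will be refused
     by every auth-constraint, so "login works but the page is denied"
     usually means a missing user_roles row. -->
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost:3306/security_db"
         connectionName="REPLACE_WITH_DB_USER"
         connectionPassword="REPLACE_WITH_DB_PASSWORD"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name">
    <!-- Store digested passwords rather than plaintext in user_pass.
         Without this handler the realm compares the raw column value. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256" />
  </Realm>
</Context>
```

The role names returned from user_roles are the strings that must appear in the web.xml auth-constraint and security-role elements; the container grants access by matching those strings exactly.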

I didn't ask that, because you should never get past login if there isn't - you'd either get sent to the loginfail page or get a 503 (Forbidden) response.

However, I must repeat this very important consideration: You cannot simply login by entering the URL of the login page on your client. The login page is designed to be presented by the container (Tomcat, Glassfish, WebSphere, or whatever server you're using) and processed by the server (no user-written login code). If someone pulls up the login page directly via URL request, the context that's needed to actually process the login will not have been activated.

The only way to get a proper login page (or dialog, depending on whether you're doing form-based authentication or not) is to request a protected URL, as defined by your web.xml security-constraint definitions. In that case login is automatically activated with the proper context.

Since you don't have the URL path for the /productMaint URL mapped to a security-constraint, that particular URL would not trigger a login, and user access would be available to everyone, whether they were logged in or not.

An IDE is no substitute for an Intelligent Developer.

matthew hayes

Greenhorn

Posts: 4

posted 1 year ago

Ok, but I don't think I'm trying to login by directly accessing the login page. I have an index.html page that is outside the secured portion of the project and that is the welcome page. That page has a link to get to the secured area and it is:

You don't "href" to a folder unless you intend to have the Default Servlet generate an index listing. And you usually don't do that because you have no control over the look-and-feel of the default folder index display.

Also, linking to "admin" won't match the "/admin/*" security URL pattern, since "/admin" isn't the same thing as "/admin/*".

I think what you're probably needing is to have the welcome page link to a specific page/servlet in the /admin folder, not simply to the folder.

Plus, that doesn't secure /productMaint. For that you need a separate URL pattern and role map.
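To tie together the two points made in this thread (a security-constraint must cover the URL a user actually requests, and /productMaint needs its own pattern and role mapping, not just /admin/*), here is an added example web.xml. It is not the poster's file: the role name admin, the Servlet 3.1 schema, and the location of login_error.html under /admin/ are assumptions; login.html, login_error.html, /admin and /productMaint are the paths mentioned in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example, not the original project's file.
     Role name "admin" and the exact paths are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Unprotected welcome page. Its link into the secured area should point
       at a concrete page or servlet under /admin/ (e.g. admin/index.jsp),
       not at the bare folder. -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <!-- Constraint 1: everything under /admin/.
       No <http-method> elements are listed on purpose: naming methods here
       would leave every unlisted method (HEAD, OPTIONS, ...) unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 2: the servlet. Without this block, /productMaint is
       reachable by anyone, logged in or not. Both the exact path and the
       sub-path pattern are listed so neither form of the URL is missed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Product maintenance servlet</web-resource-name>
      <url-pattern>/productMaint</url-pattern>
      <url-pattern>/productMaint/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The container presents these pages itself when a protected URL is
       requested; typing login.html into the browser skips that step, so
       the form post afterwards has no request to return to. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>productMaint</realm-name>
    <form-login-config>
      <form-login-page>/admin/login.html</form-login-page>
      <form-error-page>/admin/login_error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared, and
       must match a role_name the realm returns for the user. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

With form-based authentication the login.html page contains a form that POSTs to j_security_check with fields named j_username and j_password; the container handles that request, which is why no user-written login servlet is involved. A quick check that the constraints are in effect: an unauthenticated request for /productMaint should now redirect to the login page instead of returning the servlet's output.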